The present application relates to a method of handling potentially malicious communication activity, a computer program product for enabling performance of such a method, and an apparatus for handling potentially malicious communication activity.
One of the hazards faced by servers and other communication devices that are exposed to public networks, such as the Internet, is that they may be subject to a Denial of Service (DoS) attack. During a conventional DoS attack, a number of remote hosts send a large amount of traffic to the server, in an attempt to overwhelm it.
A standard approach taken to deal with such attacks is rate-limiting. This involves categorizing incoming traffic into a set of source groups based on the source Internet protocol (IP) address, assigning a permitted maximum rate of incoming traffic per group, and rejecting any traffic from the group that would cause the rate limit to be exceeded. Unfortunately, this approach has a number of drawbacks.
One drawback is that state has to be stored in memory for each source group. Another drawback is that if the granularity of the source grouping is too small—in the extreme, if there is just one IP address per group—then the grouping may take up a prohibitively large amount of memory.
On the other hand, if the traffic rate limit of a particular source group is exceeded, traffic is dropped from all traffic sources in the group. If there is one malicious traffic source in the group and several legitimate traffic sources, traffic from the legitimate sources is dropped along with the traffic from the malicious traffic source. The larger the granularity of the source group—that is, the more source IP addresses there are in the source group—the larger the scope for collateral damage caused by blocking traffic from legitimate sources.
Most systems, therefore, trade off these two considerations. In general, they tend to use relatively large source groups in order to avoid running out of memory. However, this comes at the cost of potentially denying service to a substantial number of legitimate traffic sources that are in the same source group as the malicious traffic source.
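The following is an added example, not part of the patent text, that makes the trade-off above concrete: a fixed-window rate limiter keyed on source groups formed by masking the source IPv4 address with a prefix length. The traffic it feeds in is constructed for the demonstration (one flooding host sharing a /24 with four legitimate hosts), and the window, limit and prefix lengths are assumed values.

```python
# Added example (not from the patent): per-source-group rate limiting and
# the memory-versus-collateral-damage trade-off it creates.
from collections import defaultdict
from ipaddress import IPv4Network

def source_group(ip: str, prefix_len: int) -> str:
    """Map a source IP to its source group: the /prefix_len network containing it."""
    return str(IPv4Network(f"{ip}/{prefix_len}", strict=False))

def run_rate_limiter(packets, prefix_len, limit_per_window, window=1.0):
    """Fixed-window rate limiter keyed on source group.

    packets: iterable of (timestamp_seconds, source_ip, is_malicious).
    Returns (groups_tracked, dropped_legit, dropped_malicious): how many
    groups needed rate-limit state, and how many legitimate / malicious
    packets were rejected because their group's limit was already reached.
    """
    accepted = defaultdict(int)      # (group, window index) -> accepted count
    groups = set()
    dropped_legit = dropped_mal = 0
    for ts, ip, is_malicious in sorted(packets, key=lambda p: p[0]):
        group = source_group(ip, prefix_len)
        groups.add(group)            # state is kept per group, not per packet
        slot = (group, int(ts // window))
        if accepted[slot] >= limit_per_window:
            if is_malicious:
                dropped_mal += 1
            else:
                dropped_legit += 1   # collateral damage: shares a group with the flood
        else:
            accepted[slot] += 1
    return len(groups), dropped_legit, dropped_mal

def sample_traffic():
    """Constructed traffic (not captured data): over three seconds, four
    legitimate hosts 10.0.1.1-4 and one host 10.0.2.5 each send one packet
    per second, while 10.0.1.200 floods 50 packets per second."""
    pkts = []
    for sec in range(3):
        for j in range(50):
            pkts.append((sec + 0.001 * j, "10.0.1.200", True))
        pkts.append((sec + 0.05, "10.0.2.5", False))
        for i in range(1, 5):
            pkts.append((sec + 0.1 * i, f"10.0.1.{i}", False))
    return pkts

if __name__ == "__main__":
    for prefix_len in (24, 32):   # coarse groups vs one group per address
        groups, legit, mal = run_rate_limiter(sample_traffic(), prefix_len, 10)
        print(f"/{prefix_len}: state for {groups} groups, "
              f"dropped {legit} legitimate and {mal} malicious packets")
```

With /24 groups the limiter keeps state for only two groups but rejects every packet from the four legitimate hosts sharing the flooder's group; with /32 groups it keeps state for six addresses and rejects only the flood.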
It would be desirable to provide an improved method of, and apparatus for, handling such traffic.